-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
URL: http://wordpress.org/
Version: Wordpress 1.2.1
Risk: XSS
* Description
WordPress is a state-of-the-art semantic personal publishing platform
with a focus on aesthetics, web standards, and usability. [...]
Visit http://wordpress.org/ for detailed information.
* Summary
After a quick reread of the WordPress source code I was very
disappointed by the improvements in the new version 1.2.1 of
WordPress. The developers did not fix all flaws I mentioned in my last
advisory [1] and they did not improve the code of the files in the
administration panel. There were still a lot of XSS vulnerabilities.
So I contacted the main developer again on October 28th and posted the
notice about several security flaws in their support forum to be sure
the message reached the developers. On December 15th - yesterday - they
released a fixed version.
* Cross Site Scripting and similar flaws
Version 1.2.1 of WordPress was *more* vulnerable than the 1.2
release because of this new "feature" in `wp-login.php':
> // If someone has moved WordPress let's try to detect it
> if ( dirname('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'])
> != get_settings('siteurl') )
> update_option('siteurl', dirname('http://' . $_SERVER['HTTP_HOST'] .
> $_SERVER['REQUEST_URI']) );
With a URI like ...
/wp-login.php?="><script>alert(document.cookie)</script></script>
... an attacker was able to store arbitrary values in the global siteurl
setting with a single request to wp-login.php. dirname() knows nothing
about URLs: it simply cuts the string at its last `/', so the query
string survives into the stored value (the final `</script>' of the
payload is the part dirname() eats, which is why the payload carries it
twice). Note that HTTP_HOST is attacker-supplied as well, via the Host
header, so both halves of the "detected" URL come from the request.
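To make the dirname() behaviour concrete, the following is an added example (not code from the advisory or from WordPress): it reproduces the 1.2.1 logic on the advisory's payload and contrasts it with a hypothetical hardened derivation that allowlists the host and uses only the path component. The host name `example.org` and the `siteurl_hardened` function are assumptions for illustration; `php_dirname` approximates PHP's dirname() for the URL-shaped strings involved.

```python
import posixpath
from typing import Optional
from urllib.parse import urlsplit

# Payload from the advisory; the doubled </script> is deliberate (see below).
PAYLOAD_URI = '/wp-login.php?="><script>alert(document.cookie)</script></script>'


def php_dirname(s: str) -> str:
    """Approximate PHP's dirname() for the strings WordPress 1.2.1 fed it:
    everything before the last '/'. PHP's function is purely string based,
    so a query string containing '/' is treated like a path component."""
    return s.rsplit("/", 1)[0] if "/" in s else "."


def siteurl_wp121(http_host: str, request_uri: str) -> str:
    """The 1.2.1 logic: glue two attacker-controlled request values together
    (Host header and raw request line) and take dirname() of the result."""
    return php_dirname("http://" + http_host + request_uri)


def siteurl_hardened(http_host: str, request_uri: str,
                     allowed_hosts: frozenset) -> Optional[str]:
    """Hypothetical hardened derivation (an assumption, not WordPress 1.2.2):
    refuse Host values that are not ours, drop query string and fragment,
    and take the directory of the path component only."""
    host = http_host.lower()
    if host not in allowed_hosts:
        return None
    path = urlsplit(request_uri).path          # '/wp-login.php'; query dropped
    directory = posixpath.dirname(path).rstrip("/")
    return "http://" + host + directory


if __name__ == "__main__":
    # Constructed sample request: the advisory's payload against example.org.
    stored = siteurl_wp121("example.org", PAYLOAD_URI)
    print("1.2.1 stores siteurl =", stored)
    # dirname() cut at the last '/', i.e. inside the second </script>,
    # so exactly one intact <script> block survives in the stored value.
    print("hardened gives      =",
          siteurl_hardened("example.org", PAYLOAD_URI, frozenset({"example.org"})))
    print("foreign Host header =",
          siteurl_hardened("evil.example", "/wp-login.php", frozenset({"example.org"})))
```

The point of the hardened variant is not the escaping but the data source: a setting that every generated link is built from must not be derived from request headers at all, and if auto-detection is wanted it has to be limited to the path of the script plus a host the operator has explicitly allowed.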
Another issue was that an administrator or privileged user was able to
post entries, add new categories, change profile values etc. containing
raw HTML code, which is then stored and rendered for other users.
Still vulnerable in WP-1.2.1:
/wp-login.php?redirect_to=[XSS]
/wp-admin/bookmarklet.php?popupurl=[XSS]
/wp-admin/bookmarklet.php?content=[XSS]
XSS vulnerabilities reported in [1] that were still not fixed:
/wp-admin/edit-comments.php?s=[XSS]
/wp-admin/edit-comments.php?s=bla&submit=Search&mode=[XSS]
/wp-admin/templates.php?file=[XSS]
/wp-admin/link-add.php?linkurl=[XSS]
/wp-admin/link-add.php?name=[XSS]
/wp-admin/link-categories.php?cat_id=[XSS]&action=Edit
/wp-admin/link-manager.php?order_by=[XSS]
/wp-admin/link-manager.php?cat_id=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_url=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_name=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_description=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_rel=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_image=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_rss_uri=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_notes=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_id=[XSS]
/wp-admin/link-manager.php?action=linkedit&order_by=[XSS]
/wp-admin/link-manager.php?action=linkedit&cat_id=[XSS]
/wp-admin/post.php?content=[XSS]
/wp-admin/moderation.php?action=update&item_approved=[XSS]
SQL errors (non-numeric values for these parameters produce visible
database error messages):
/index.php?m=bla
/wp-admin/edit.php?m=bla
/wp-admin/link-categories.php?cat_id=bla&action=Edit
* Solution
Upgrade to WordPress 1.2.2 [2]
* Credits
Thomas Waldegger
[1] http://www.securityfocus.com/archive/1/376766
[2] http://wordpress.org/development/2004/12/one-point-two-two/
-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/
iD8DBQFD9YCYkCo6/ctnOpYRA+hjAJ9RFrEuKfnkxKtCkUns08A6clm0xACcCJWg
VkY1HiosBvsB2237bddPVAU=
=0R15
-----END PGP SIGNATURE-----